A New Way to Leak

With the Obama administration’s furious war against whistleblowers who reveal abuses and illegality by the government, especially the executive branch, the New Yorker is rolling out a new way for sources to turn over incriminating evidence that the public should know about. It was coded by the last Aaron Swartz, the open-source crusader who committed suicide a few months ago.

Aaron Swartz was not yet a legend when, almost two years ago, I asked him to build an open-source, anonymous in-box. His achievements were real and varied, but the events that would come to define him to the public were still in his future: his federal criminal indictment; his leadership organizing against the censorious Stop Online Piracy Act; his suicide in a Brooklyn apartment. I knew him as a programmer and an activist, a member of a fairly small tribe with the skills to turn ideas into code—another word for action—and the sensibility to understand instantly what I was looking for: a slightly safer way for journalists and their anonymous sources to communicate…

In New York, a computer-security expert named James Dolan persuaded a trio of his industry colleagues to meet with Aaron to review the architecture and, later, the code. We wanted to be reasonably confident that the system wouldn’t be compromised, and that sources would be able to submit documents anonymously—so that even the media outlets receiving the materials wouldn’t be able to tell the government where they came from. James wrote an obsessively detailed step-by-step security guide for organizations implementing the code. “He goes a little overboard,” Aaron said in an e-mail, “but maybe that’s not a bad thing.”

By December, 2012, Aaron’s code was stable, and a squishy launch date had been set. Then, on January 11th, he killed himself. In the immediate aftermath, it was hard to think of anything but the loss and pain of his death. A launch, like so many things, was secondary. His suicide also raised new questions: Who owned the code now? (Answer: he willed all his intellectual property to Sean Palmer, who gives the project his blessing.) Would his closest friends and his family approve of the launch proceeding? (His friend and executor, Alec Resnick, reports that they do.) The New Yorker, which has a long history of strong investigative work, emerged as the right first home for the system. The New Yorker’s version is called Strongbox; it went online this morning.

A big win for transparency, which I expect to be very useful very quickly.

9 comments on this post.
  1. Gregory in Seattle:

    Excellent.

  2. theschwa:

    How long until some politician breathlessly warns this tech might be used by terrorists to communicate??! (never considering that if the government was not cracking down on whistleblowers, this tech never would have needed to be created in the 1st place)

  3. Gregory in Seattle:

    @theschwa #2 – But if the government were not cracking down so hard on whistleblowers, the terrorists would be able to communicate openly! Or something.

  4. jaxkayaker:

    “It was coded by the last [sic] Aaron Swartz…”

    The “late” Aaron Swartz?

  5. John Pieret:

    Oh, dang. As an old guy, I was hoping this was about a different kind of leak.

  6. Marcus Ranum:

    The terrorists (if they were at all sophisticated) could do better pretty easily. All they’d have to do is steal a riff from the kidporn traders and use virtual machine images, staged around the ‘net, accessible via ssh VPNs.

    But the terrorists’ security is fairly lame. As we saw from Bin Laden, they rely on operational security and shortcut the technical aspects to a large degree. A little incompetence there goes a long way. And as we know from Khalid Shayk Mohammed, whose laptop was unencrypted when they captured him – operational security is really not those guys’ strong point. Terrorism isn’t the threat, here – it’s actually the US government watching itself more than anything else – all of which smacks to me of the kind of internal fragmentation that happens a generation or two before things collapse to the point of a putsch.

  7. Artor:

    I hope they call the new service, “The Schwartz’s Child Radius,” since the project was Aaron Schwartz’s baby, and if you drop documents there, they can escape the black hole of gov’t secrecy. But that’s just me geeking out.

  8. D. C. Sessions:

    Artor, you’re dating yourself. Radius authentication hasn’t been used for ages.

  9. bryanfeir:

    @D.C.Sessions:
    Unfortunately, as someone who has had to deal with setting up enterprise-level wireless security, I can reliably say that there are a great many Radius servers still in operation out in the world. I’ve had to help interface with some of them. We have a Radius server here in the test lab, because we need to test against it all too often.
